improve docker build

Signed-off-by: Markus Blaschke <[email protected]>
webdevops · Jun 19, 2022 · 987a5b0 · 987a5b0
1 parent 5d0fb3d
commit 987a5b0
Show file tree

Hide file tree

Showing 5 changed files with 169 additions and 63 deletions.
diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml
@@ -3,12 +3,21 @@ name: "CI: docker build"
 on: [pull_request]
 
 jobs:
-
   build:
-
     runs-on: ubuntu-latest
-
     steps:
-    - uses: actions/checkout@v2
-    - name: Build the Docker image
-      run: docker build . --file Dockerfile --tag webdevops/apprelease-exporter:$(date +%s)
+      - uses: actions/checkout@v2
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
+
+      - name: Run Golangci lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: latest
+          args: -E exportloopref,gofmt --timeout=30m
+
+      - name: Build the Docker image
+        run: docker build . --file Dockerfile --tag ${{ github.repository }}:$(date +%s)
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
@@ -1,8 +1,6 @@
 name: "Release: docker"
 
 on:
-  schedule:
-    - cron: '0 6 * * 1'
   push:
     branches:
       - '**'
@@ -13,39 +11,52 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Docker meta
-      id: docker_meta
-      uses: crazy-max/ghaction-docker-meta@v1
-      with:
-        images: webdevops/apprelease-exporter,quay.io/webdevops/apprelease-exporter
-        #tag-sha: true
-
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@v1
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
-
-    - name: Login to DockerHub
-      uses: docker/login-action@v1 
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-    - name: Login to Quay
-      uses: docker/login-action@v1 
-      with:
-        registry: quay.io
-        username: ${{ secrets.QUAY_USERNAME }}
-        password: ${{ secrets.QUAY_TOKEN }}
-
-    - name: Build and push
-      uses: docker/build-push-action@v2
-      with:
-        context: .
-        file: ./Dockerfile
-        platforms: linux/amd64,linux/arm,linux/arm64,linux/ppc64le
-        push: ${{ github.event_name != 'pull_request' }}
-        tags: ${{ steps.docker_meta.outputs.tags }}
-        labels: ${{ steps.docker_meta.outputs.labels }}
+      - uses: actions/checkout@v2
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
+
+      - name: Run Golangci lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: latest
+          args: -E exportloopref,gofmt --timeout=30m
+
+      - name: Docker meta
+        id: docker_meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ github.repository }},quay.io/${{ github.repository }}
+          labels: |
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/${{ github.event.repository.default_branch }}/README.md
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Quay
+        uses: docker/login-action@v1
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
diff --git a/.github/workflows/scheduled-docker.yml b/.github/workflows/scheduled-docker.yml
@@ -0,0 +1,59 @@
+name: "Scheduled: docker"
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
+
+      - name: Run Golangci lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: latest
+          args: -E exportloopref,gofmt --timeout=30m
+
+      - name: Docker meta
+        id: docker_meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ github.repository }},quay.io/${{ github.repository }}
+          labels: |
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/${{ github.event.repository.default_branch }}/README.md
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Quay
+        uses: docker/login-action@v1
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,24 +1,38 @@
-FROM golang:1.15 as build
+#############################################
+# Build
+#############################################
+FROM --platform=$BUILDPLATFORM golang:1.18-alpine as build
+
+RUN apk upgrade --no-cache --force
+RUN apk add --update build-base make git
 
 WORKDIR /go/src/github.com/webdevops/apprelease-exporter
 
-# Get deps (cached)
-COPY ./go.mod /go/src/github.com/webdevops/apprelease-exporter
-COPY ./go.sum /go/src/github.com/webdevops/apprelease-exporter
+# Dependencies
+COPY go.mod go.sum .
 RUN go mod download
 
 # Compile
-COPY ./ /go/src/github.com/webdevops/apprelease-exporter
+COPY . .
 RUN make test
-RUN make lint
-RUN make build
-RUN ./apprelease-exporter --help
+ARG TARGETOS TARGETARCH
+RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} make build
+
+#############################################
+# Test
+#############################################
+FROM gcr.io/distroless/static as test
+USER 0:0
+WORKDIR /app
+COPY --from=build /go/src/github.com/webdevops/apprelease-exporter/apprelease-exporter .
+RUN ["./apprelease-exporter", "--help"]
 
 #############################################
-# FINAL IMAGE
+# Final
 #############################################
 FROM gcr.io/distroless/static
 ENV LOG_JSON=1
-COPY --from=build /go/src/github.com/webdevops/apprelease-exporter/apprelease-exporter /
-USER 1000
+WORKDIR /
+COPY --from=test /app .
+USER 1000:1000
 ENTRYPOINT ["/apprelease-exporter"]
diff --git a/Makefile b/Makefile
@@ -1,10 +1,11 @@
-PROJECT_NAME		:= apprelease-exporter
+PROJECT_NAME		:= $(shell basename $(CURDIR))
 GIT_TAG				:= $(shell git describe --dirty --tags --always)
 GIT_COMMIT			:= $(shell git rev-parse --short HEAD)
-LDFLAGS				:= -X "main.gitTag=$(GIT_TAG)" -X "main.gitCommit=$(GIT_COMMIT)" -extldflags "-static"
+LDFLAGS				:= -X "main.gitTag=$(GIT_TAG)" -X "main.gitCommit=$(GIT_COMMIT)" -extldflags "-static" -s -w
 
 FIRST_GOPATH			:= $(firstword $(subst :, ,$(shell go env GOPATH)))
 GOLANGCI_LINT_BIN		:= $(FIRST_GOPATH)/bin/golangci-lint
+GOSEC_BIN				:= $(FIRST_GOPATH)/bin/gosec
 
 .PHONY: all
 all: build
@@ -15,7 +16,7 @@ clean:
 
 .PHONY: build
 build:
-	CGO_ENABLED=0 go build -a -ldflags '$(LDFLAGS)' -o $(PROJECT_NAME) .
+	GOOS=${GOOS} GOARCH=${GOARCH} CGO_ENABLED=0 go build -a -ldflags '$(LDFLAGS)' -o $(PROJECT_NAME) .
 
 .PHONY: vendor
 vendor:
@@ -28,18 +29,30 @@ image: build
 	docker build -t $(PROJECT_NAME):$(GIT_TAG) .
 
 build-push-development:
-	docker build -t webdevops/$(PROJECT_NAME):development . && docker push webdevops/$(PROJECT_NAME):development
+	docker buildx create --use
+	docker buildx build -t webdevops/$(PROJECT_NAME):development --platform linux/amd64,linux/arm,linux/arm64 --push .
 
 .PHONY: test
 test:
 	go test ./...
 
+.PHONY: dependencies
+dependencies:
+	go mod vendor
+
+.PHONY: check-release
+check-release: vendor lint gosec test
+
 .PHONY: lint
 lint: $(GOLANGCI_LINT_BIN)
-	$(GOLANGCI_LINT_BIN) run -E exportloopref,gofmt --timeout=10m
+	$(GOLANGCI_LINT_BIN) run -E exportloopref,gofmt --timeout=30m
 
-.PHONY: dependencies
-dependencies: $(GOLANGCI_LINT_BIN)
+.PHONY: gosec
+gosec: $(GOSEC_BIN)
+	$(GOSEC_BIN) ./...
 
 $(GOLANGCI_LINT_BIN):
-	curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(FIRST_GOPATH)/bin v1.32.2
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(FIRST_GOPATH)/bin
+
+$(GOSEC_BIN):
+	curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(FIRST_GOPATH)/bin